Threat Description

Trojan-Spy:W32/Montp

Details

Aliases: Trojan-Spy:W32/Montp, TrojanSpy.Win32.Montp.f
Category: Malware
Type: Trojan-Spy
Platform: W32

Summary

A trojan that silently installs spying components, such as keyloggers. This family drops a DLL that hooks system APIs to intercept HTTPS sessions and steal on-line banking credentials, which are then uploaded to an FTP server.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

Trojan-Spy:W32/Montp is a data-stealing trojan that collects information from users of numerous on-line banks and sends it to the attacker by uploading specially crafted files to an FTP server. The trojan can also download and run additional files from FTP and HTTP servers.

To hide its presence, Montp uses stealth (rootkit-style) techniques: its DLL component hooks APIs so that the malware's files and Registry keys are not visible through the normal system interfaces.

The first Montp variant was discovered in April 2004. The latest, Montp.F, was found on 6-7 June 2004.

Installation

The trojan's main file is a PE executable, 44032 bytes long, packed with the PECompact file compressor. It drops a DLL 241664 bytes long that is not packed. When the executable is run, it installs itself on the system.

During installation, the trojan copies its executable into a subfolder named 'qmin' in the Windows System folder, using a randomly generated file name, for example 'adpgcjca.exe'.

Then a DLL named 'qmin2.dll' is dropped into the Windows System folder and activated. This DLL hooks certain APIs in order to intercept HTTPS requests. It also hides the malware's files and Registry keys (stealth).

The trojan also creates a file named 'xtempx.xxx' in the Windows System folder.

Data Theft

The dropped DLL component checks whether the user opens any of the following URLs over HTTPS (the bank names have been removed from this list; only the domain suffixes remain):

  • .co.uk
  • .co.uk
  • .com
  • .tv
  • .com
  • .com
  • .com.au
  • .com.au
  • .com
  • .co.uk
  • .co.uk
  • .com
  • .co.uk
  • .co.uk
  • .co.uk
  • .com
  • .com.au
  • .com
  • .com
  • .co.nz
  • .com
  • .com
  • .com
  • .se
  • .com.vn
  • .com
  • .com
  • .com
  • .de
  • .com
  • .com
  • .com
  • .com.hk
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .de
  • .com.my
  • .com.my
  • .de
  • .com.au
  • .com
  • .net.au
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .de
  • .de
  • .com.hk
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .co.nz
  • .co.nz
  • .com
  • .com.au
  • .com.au
  • .com
  • .com

If the user opens any of those URLs (most of which belong to on-line banks), the trojan's DLL creates a file with a corresponding name (the bank part of the name is likewise removed below, leaving only the suffix). For several URLs the trojan uses a single common file instead. The following files are created by the trojan:

  • _co_uk.pst
  • _co_uk.pst
  • _com.pst
  • .pst
  • _com.pst
  • .pst
  • _com_au.pst
  • _com_au.pst
  • _com.pst
  • _CO_UK.pst
  • _CO_UK.pst
  • _COM.pst
  • _CO_UK.pst
  • _co_uk.pst
  • _co_uk.pst
  • instant1f.pst (used for several URLs)

The trojan's DLL also checks for URLs containing any of the following strings:

  • zwallet.com
  • .cl
  • .ru
  • .ua
  • .o2.co.uk
  • ytv.com
  • yourastrologysite.com
  • .edu
  • yes.com.hk
  • yagma.com
  • mail
  • serviticket.com
  • sierraclub.org
  • wrem.sis.yorku.ca
  • worth1000.com
  • worldwinner.com
  • delawarenorth.com
  • .bg
  • uwaterloo.ca
  • t-mobile.com
  • .ac.uk
  • willhill.com
  • bigpond.net.au
  • intel.com
  • webzdarma.cz
  • nwa.com
  • sap-ag.de
  • guidehome.com
  • microsoft.com
  • .il
  • .ust.hk
  • .fi
  • .ac.nz
  • .sk
  • .ac.at
  • unb.ca
  • ubc.ca
  • sheridanc.on.ca
  • queensu.ca
  • mcmaster.ca
  • mcgill.ca
  • carleton.ca
  • douglas.bc.ca
  • .hr
  • comcast.net
  • webassign.net
  • there.com
  • uoguelph.ca
  • uottawa.ca
  • .jp
  • ych.com
  • icq.com
  • .tw
  • watchguard.com
  • walgreens.com
  • aircanada.ca
  • ibm.com
  • opusit.com.sg
  • vutbr.cz
  • vpost.com.sg
  • .md
  • vodafone
  • virginmobileusa.com
  • virginblue.com.au
  • mcafee.com
  • videotron.com
  • victoriassecret.com
  • veloz.com
  • vasa.slsp.sk
  • .com
  • uscitizenship.info
  • uscden.net
  • usafis.org
  • yesasia.com
  • ups.com
  • ucas.co.uk
  • uwindsor.ca
  • uoguelph.ca
  • unixcore.com
  • united.intranet.ual.com
  • preschoicefinancial.com
  • yorku.ca
  • trustinternational.com
  • trust1.com
  • trivita.com
  • travelcommunications.co.uk
  • travelclub.swiss.com
  • travel.priceline.com
  • travel.com.au
  • towerhobbies.com
  • game
  • hp.com
  • iprimus.com.au
  • iinet.net.au
  • music
  • ssdcl.com.sg
  • datasvit.net
  • starhubshop.com.sg
  • 012.net
  • stanfordalumni.org
  • .cz
  • tdcwww.net
  • tmi-wwa.com
  • tm.net.my
  • tirerack.com
  • ti.com
  • ultrastar.com
  • ticketmaster.com
  • three.com.hk
  • theaa.com
  • tepore.com
  • recruitsoft.com
  • freedom.net
  • telstra.com
  • telpacific.com.au
  • techdata.com
  • quickbooks.com
  • tbihosting.com
  • inlandrevenue.gov.uk
  • symantec
  • sony
  • .kz
  • dell
  • cablebg.net
  • supergo.com
  • look.ca
  • maximonline.com
  • streamload.com
  • apple.com
  • puma.com
  • a-net.com
  • webtrendslive.com
  • gigaisp.net
  • ihost.com
  • monster.com
  • .sok
  • lanck.net
  • farlep.net
  • .kr
  • speedera.net
  • kundenserver.de
  • ingrammicro.com
  • campoints.net
  • ains.com.au
  • srp.org.sg
  • sqnet.com.sg
  • adaptec.com
  • worldgaming.net
  • sportodds.com
  • sportingbet.com
  • spiritair.com
  • swamp.lan
  • soundclick.com
  • hkuspace.org
  • soccer.com
  • solo3..fi
  • snapfish.com
  • cometsystems.com
  • flextronics.com
  • esdlife.com
  • site-secure.com
  • singaporeair.com
  • sims.sfu.ca
  • simplyhotels.com
  • singnet.com.sg
  • silicon-power.com
  • signup.sprint.ca
  • shutterfly.com
  • shopundco.com
  • zoovy.com
  • go-fia.com
  • shoppersoptimum.ca
  • shopadmin.daum.net
  • o2online.de
  • ecompanystore.com
  • shkcorpws5.shkp.com
  • sfa.prudential.com.sg
  • hku.hk
  • vodafone.co.uk
  • cic.gc.ca
  • sfgov.org
  • rogers.com
  • macau.ctm.net
  • xs4all.nl
  • sympatico.ca
  • ariba.com
  • liveperson.net
  • sephora.com
  • senecac.on.ca
  • canon-europe.com
  • xtra.co.nz
  • t-mobile.co.uk
  • selfmgmt.com
  • securitymetrics.com
  • securewebexchange.com
  • western-inventory.com
  • playstation.com
  • imrworldwide.com
  • secureserver.net
  • secureordering.com
  • imrworldwide.com
  • securecart.net
  • wn.com.au
  • webeweb.net
  • mgm-mirage.com
  • w2express.com
  • vandyke.com
  • ubi.com
  • tsn.cc
  • trekblue.com
  • tickle.com
  • thewheelconnection.com
  • telusmobility.com
  • starbiz.net.sg
  • sparknotes.com
  • sparkart.com
  • sms.ac
  • billerweb.com
  • shaw.ca
  • safesite.com
  • register.com
  • oztralia.com
  • ordering.co.uk
  • orcon.net
  • optusnet.com.au
  • onlineaccess.net
  • oberon-media.com
  • nzqa.govt.nz
  • novuslink.net
  • nike.com.hk
  • netspeed.com.au
  • netfirms.com
  • netbilling.com
  • nai.com
  • nacelink.com
  • mysylvan.com
  • mouse2mobile.com
  • .com.au
  • lkw-walter.com
  • kent.net
  • reuters.com
  • intuitcanada.com
  • infusion-studios.com
  • indigosp.com
  • idx.com.au
  • hotbar.com
  • hostdozy.com
  • hilton.com
  • gevalia.com
  • fredericks.com
  • ezpeer.com
  • europeonline.com
  • e-registernow.com
  • emetrix.com
  • elsevier
  • element5.com
  • elance.com
  • earthport.com
  • directsex.com
  • directnic.com
  • deluxepass.com
  • delias.com
  • konetic.org
  • customersvc.com
  • c1hrapps.com
  • bnpparibas.net
  • .com
  • bearshare.com
  • authorize.net
  • advisor.com
  • adultfriendfinder.com
  • acadiau.ca
  • yimg.com
  • sebra.com
  • seatbooker.net
  • searchfit.org
  • eutelsat.net
  • carleton.ca
  • upjs.sk
  • scicollege.org.sg
  • sciamdigital.com
  • ebay
  • s-central.com.au
  • sbc.com
  • samsunggsbn.com
  • sammikk.com

Information from webpages intercepted this way is collected in a file named 'global1f.pst'. The trojan's EXE then processes the PST files created by the DLL component, except for 'instant1f.pst' and 'global1f.pst', which are uploaded to an FTP site as is.

After processing the PST files created for certain banks, the trojan creates corresponding .INI files holding information such as the user's name, customer ID, date of birth, passwords, PINs, account numbers and other sensitive data. The following files are created after processing of bank-related PST files (bank names removed as above):

  • _co_uk.ini
  • .ini
  • _co_uk.ini
  • .ini
  • .ini
  • .ini
  • .ini
  • .ini
  • _co_au.ini
  • .ini
  • .ini
  • .ini
  • .ini
  • .ini

The files with collected data are uploaded to an FTP site into directories named 'MAIN', 'FILT' and 'SPAM'. Sorted data stolen from major banks (the .INI files) is uploaded to 'MAIN'; data stolen from other banks, stored in 'instant1f.pst', is uploaded to 'FILT'; and 'global1f.pst', holding data collected from the other URLs, is uploaded to 'SPAM'.

Payload

Montp modifies the HOSTS file to redirect the domain name 'web.da-us.citibank.com' to the IP address 66.98.244.59, so that connections to the bank's genuine host name are sent to that address instead of the one DNS would return.
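A HOSTS-file check for this kind of pharming entry, as an added example (not F-Secure's code and not part of the original description). It parses a Windows HOSTS file and reports every name resolved to an address outside loopback; the Citibank host name from the write-up is used as a watched name, the SAMPLE_HOSTS text is constructed test data, and the file path is assumed to be the standard Windows location.

```python
"""Detect HOSTS-file pharming entries of the kind Montp writes."""
import ipaddress
import os
import re
from pathlib import Path

# Host names worth a special alert; extend with the banks your users visit.
# (web.da-us.citibank.com is the name the write-up says Montp redirects.)
WATCHED_NAMES = {"web.da-us.citibank.com"}

# Constructed sample: a default-looking HOSTS file plus the Montp redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
66.98.244.59    web.da-us.citibank.com    # added by the trojan
"""


def parse_hosts(text):
    """Yield (ip, name) pairs from HOSTS text.

    Line format: <ip> <name> [<alias> ...] [# comment]; blank and
    comment-only lines are skipped and names are lower-cased."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED_NAMES):
    """Return (ip, name, reason) tuples for entries that deserve a look.

    Loopback targets are the normal content of a workstation HOSTS file,
    and 0.0.0.0 sinkhole entries (ad blockers) are benign too. Anything
    else silently overrides DNS for that name; when the name belongs to
    a bank, that is a pharming indicator."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        reason = "non-loopback mapping overrides DNS"
        if name in watched:
            reason += "; watched bank host (pharming indicator)"
        hits.append((ip, name, reason))
    return hits


def windows_hosts_path():
    """Standard HOSTS location; SystemRoot is read from the environment."""
    root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    return root / "System32" / "drivers" / "etc" / "hosts"


if __name__ == "__main__":
    path = windows_hosts_path()
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for ip, name, reason in suspicious_entries(text):
        print(f"{name} -> {ip}: {reason}")
```

Run on the sample text the check reports the single Citibank line; on a real host it reads the live file. Treat a non-loopback hit as something to triage rather than as proof of infection: some corporate images do carry legitimate static entries, but a bank host name is never one of them.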

The malware attempts to download and run a file named 'update8.exe' from the 'www.projecx.net' website. At the time this description was written, that file was no longer accessible. The trojan additionally attempts to download and run a file named 'update.exe' from the FTP server to which it uploads the stolen data.

The trojan also sets 'about:blank' as the Internet Explorer start page.

Montp looks for and terminates processes with the following names:

  • ARMOR2NET.EXE
  • SAVSCAN.EXE
  • NPROTECT.EXE
  • NVSVC32.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • F-AGNT95.EXE
  • FINDVIRU.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • JEDI.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCANW.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • OUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RESCUE.EXE
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VSCAN40.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

Most of these names belong to anti-virus and firewall software.

Registry Changes

A startup value is created for the trojan's executable in the Registry (the file name is the randomly generated one chosen during installation):

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "qmin" = "%WinSysDir%\qmin\[random name].exe"

Additionally, the trojan creates the following Registry keys:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion] "qmin"
  • [HKCU\Software\Microsoft\Windows] "qmax"

The 'qmax' key is set at the beginning of the data-stealing process and deleted afterwards.
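A host triage script for the installation and Registry artifacts described above, as an added example (not F-Secure's code). The indicator names (the Run value 'qmin', the 'qmin' subfolder with its randomly named EXE, 'qmin2.dll' and 'xtempx.xxx') come from the description; the Run entries used as test data are constructed, and 'ctfmon.exe' stands in for a benign entry. The decision logic is kept in pure functions so it can be exercised offline; the winreg collector only runs on Windows.

```python
"""Triage a Windows host for the Montp artifacts listed in this description."""
import os
import sys
from pathlib import Path

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "qmin"               # startup value name used by Montp
DROP_DIR = "qmin"                     # subfolder under the Windows System folder
DROPPED_FILES = ("qmin2.dll", "xtempx.xxx")


def run_value_indicators(run_values):
    """run_values maps Run value names to their command strings.

    Matches Montp's startup entry: a value named 'qmin', or any command
    whose path goes through a '\\qmin\\' folder (the EXE name is random,
    so it cannot be matched directly)."""
    hits = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME or "\\qmin\\" in command.lower():
            hits.append((name, command))
    return hits


def file_indicators(system_dir):
    """Return paths of Montp drop artifacts found under system_dir.

    Caveat: on a live infected host the trojan's DLL hooks file APIs to
    hide these objects, so an empty result from the host's own view is
    weaker evidence than one taken from an offline mount of the volume."""
    system_dir = Path(system_dir)
    found = [str(system_dir / f) for f in DROPPED_FILES if (system_dir / f).exists()]
    drop = system_dir / DROP_DIR
    if drop.is_dir():
        found.extend(str(p) for p in drop.glob("*.exe"))
    return found


def read_run_values():
    """Collect HKLM Run values with winreg; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:           # raised once the index runs past the last value
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    system_dir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    for name, command in run_value_indicators(read_run_values()):
        print(f"Run value {name!r} -> {command}")
    for path in file_indicators(system_dir):
        print("Dropped file:", path)
```

Because the DLL hides the trojan's files and Registry keys through API hooks, the most reliable use of this check is against a disk image or a volume mounted from a clean system, where the collectors see the real contents.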





